1) Rig OpenLDAP so all password changes get sent to the kerberos
server but do not use it for authentication. In the meantime we will
continue authenticate with the SSHA1 hashes in the user's LDAP
entry.

The usual way to do this on most *nix systems is to actually 'rig' the
PAM. In debian for example you setup your /etc/pam.d/common-password to
contain something like:
password sufficient pam_krb5.so ignore_root
password required pam_unix.so nullok obscure min=4 max=8 sha256
use_first_pass
this sets up most of your tools to use the right modules when changing
the password, e.g. 'passwd'.

Hi Brend,

Sorry - Bernd (typo),

Thanks for the reply.
Unfortunately there's a problem with that - the user would need their
old kerberos password before they could initiate a change and in this
case, their old kerberos password is unknown because Kerberos has only
just existed.

I do not know if you could do something like 'referring' a password
change request from the OpenLDAP server to the kerberos server but since
this would be an invitation von mitm attacks I doubt it.

It will be a bit of a pity in this case if it's not possible :(
When using password hashes in the user entry, does slapd receive the
plaintext password or does the client generate the hash?

Sorry also - that was ambiguous. Add "when changing a password" to the
above sentence -